Query Details

Monitor DL Ls By Signer

Query

DeviceImageLoadEvents
| where TimeGenerated > ago(90d) //change to 30d if using advanced hunting with no sentinel
| where FileName contains ".dll"
| join kind=leftouter DeviceFileCertificateInfo on $left.SHA1 == $right.SHA1
| where FileName contains ".dll"
| summarize make_set(FileName) by Signer

Explanation

This query is designed to analyze device image load events, specifically focusing on DLL files, over the past 90 days (or 30 days if using advanced hunting without Sentinel). Here's a simple breakdown of what it does:

  1. Data Source: It starts by looking at the DeviceImageLoadEvents table, which contains records of files loaded by devices.

  2. Time Filter: It filters the events to only include those generated in the last 90 days. If you're using advanced hunting without Sentinel, you should change this to 30 days.

  3. File Filter: It further narrows down the events to only those where the file name contains ".dll", indicating that the file is a dynamic link library.

  4. Join Operation: The query performs a left outer join with the DeviceFileCertificateInfo table on the SHA1 hash of the files. This means it combines information from both tables based on matching SHA1 values, keeping all records from the DeviceImageLoadEvents table and adding matching records from the DeviceFileCertificateInfo table where available.

  5. Summarization: Finally, it summarizes the data by grouping the results based on the Signer (the entity that signed the file) and creates a set of unique DLL file names associated with each signer.

In essence, this query helps identify which DLL files have been loaded on devices, who signed them, and provides a list of unique DLLs for each signer over the specified time period.

Details

Jay Kerai profile picture

Jay Kerai

Released: January 14, 2026

Tables

DeviceImageLoadEventsDeviceFileCertificateInfo

Keywords

DeviceImageLoadEventsFileCertificateInfoNameSigner

Operators

whereago()contains()joinkind=leftoutersummarizemake_set()by

Actions

GitHub